When a company suffers a massive data breach that exposes personal information of millions of customers, do those customers have the right to sue that company? The answer typically is yes, but don’t expect a windfall even if the lawsuit is successful.
The question has come up in connection with several high-profile breaches in recent years, the latest involving Facebook. In September, the social-media giant said that an attack exposed the personal information of nearly 50 million users. And we all remember last year’s Equifax breach. That credit-reporting agency revealed that information about as many as 143 million US consumers had been hacked, exposing names, Social Security numbers, birth dates, addresses and driver’s license numbers. Within days, at least 23 proposed class-action lawsuits had been filed against the company. To get a sense of how a lawsuit against Equifax might play out, consider these comparable cases…
•Last year, health insurance company Anthem Inc. agreed to a $115 million settlement stemming from a 2015 hack of about 79 million customers’ information. Under the settlement, victims of the hack could receive an extra two years of credit-monitoring and identity-protection services—in addition to the original two years the company offered. If someone is already enrolled in credit monitoring elsewhere, he/she instead can opt to receive up to $50 in cash. And $15 million was designated to pay victims’ out-of-pocket expenses resulting from the incident.
•In 2016, Home Depot agreed to a $13 million settlement involving a 2014 breach affecting information on more than 50 million customers. Those who had credit or debit card information stolen could have collected up to $10,000 from a fund that covered documented losses such as fraudulent charges on a card as well as time spent remedying issues related to the data breach…and they could have received 18 months of credit monitoring.
If you are eligible to participate in a data breach class-action suit, look for a notice in the mail, but also look for updates on the website of the company that experienced the breach…in the press…or at Consumer-Action.org/lawsuits, which tracks class actions.
Also, be sure to read the fine print in any offer from a company that suffers a breach. Initially, when Equifax offered one year of free credit monitoring, there was a catch. A clause in the offer appeared to strip people who signed up of their right to sue the company, but in the face of tremendous pressure, Equifax dropped that condition.